Verifying Integrity and Authenticity

To ensure the integrity and authenticity of our software, each folder contains some special files:

*sums

These contain different kinds of checksums for each file in that folder, such as MD5 (md5sums) and SHA256 (sha256sums), so you can verify that the file you downloaded is the same one that we produced.

*sums.asc

The *sums files were signed using GPG. The *sums.asc files contain the signatures, so you can make sure that the *sums files weren't modified or compromised. To verify the signature you need the public key 8D2DD9BD of Martin Scharm. If you don't already have it, you can drop us an email, or trust another web server and download the key from there.

Generate a Checksum

There are many tools available to generate checksums of files. Many are platform-specific, but here are three common ways to calculate the MD5 sum of a file FILE:

md5sum FILE
openssl md5 < FILE
gpg --print-md MD5 FILE

Verify a Signature

To verify our signature you need to have the key 8D2DD9BD in your keyring. If that's the case simply run:

gpg --verify md5sums.asc md5sums

You should get a result that contains "Good signature" somewhere in the output.
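
The two checks combined, as an added example that is not part of the original page: verify the signature on the checksum list first, then compare the downloaded file against its entry in that list. It assumes GNU coreutils sha256sum and that the signing key is already in your keyring; the function names are hypothetical. It uses sha256sums rather than md5sums because MD5 collisions are practical.

```shell
#!/bin/sh
# Added example: check one downloaded file against a signed checksum list.
# Assumes GNU coreutils sha256sum and its "HASH  NAME" / "HASH *NAME" line format.
# Usage: verify_download sha256sums FILE

# Step 1: verify the detached signature on the checksum list.
# Fails if the signer's public key is not in the keyring or the list was altered.
verify_sums_signature() {
    sums=$1
    gpg --verify "$sums.asc" "$sums"
}

# Step 2: compare the file's SHA256 against its entry in the list.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
verify_file_checksum() {
    sums=$1
    file=$2
    name=$(basename "$file")
    # The name starts two characters after the hash (space plus space or '*'),
    # so take the rest of the line to keep names containing spaces intact.
    expected=$(awk -v n="$name" \
        'substr($0, length($1) + 3) == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "$name: not listed in $sums" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
    else
        echo "$name: FAILED (checksum mismatch)" >&2
        return 1
    fi
}

# A checksum is only worth comparing if the list it came from is authentic,
# so the signature check must pass before the hash comparison runs.
verify_download() {
    verify_sums_signature "$1" && verify_file_checksum "$1" "$2"
}
```

A "not listed" result is treated as a failure on purpose: a file that is absent from the signed list has no verified checksum at all.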